Data thief threatens to strike again

An e-mail author claiming to be the thief who released as many as 25,000 stolen credit card numbers earlier this month told NBC News he'll soon start distributing more card numbers on a new Web site. "Maxus", aka "Maxim", claims to have stolen 300,000 credit card files from online music retailer CD Universe.
Written by Mike Brunker, Contributor
An e-mail author claiming to be the thief who released as many as 25,000 stolen credit card numbers earlier this month told NBC News he'll soon start distributing more card numbers on a new Web site. "Maxus", aka "Maxim", claims to have stolen 300,000 credit card files from online music retailer CD Universe. The site he set up to hand out stolen card information was shut down over the weekend, but a writer identifying himself as the thief told NBC he'll open up a new site "soon." In a separate note to MSNBC, the same writer hinted part of his motivation was to criticize e-commerce companies that don't do enough to preserve users' privacy.

The heist sent shockwaves through the e-commerce world over the weekend. The intruder, who claims to have plundered 300,000 credit card numbers from an Internet music retailer's computers, posted thousands of numbers on a Web page after failing to force the company to pay him US$100,000. The FBI is investigating the theft and attempted extortion, and the company, CD Universe, said it was advising customers that their credit card data could have been compromised.

Word of the extortion plot surfaced Friday, when the thief contacted a California computer security firm and directed employees to the Web site where he apparently had been posting the credit numbers since Christmas Day. Asked why he thought CD Universe refused to pay him the US$100,000, Maxus replied (sic) "They ... prefer money vs. people privacy."

He also said he still has access to the CD Universe credit card database and can still glean credit card numbers from the site.

Brad Greenspan, chairman of eUniverse, the parent company of CD Universe, said Monday that company officials and an outside security firm it had hired were still attempting to determine how the thief had made off with the financial information. But he said there are reasons to believe that other online retailers also could be vulnerable.

Other sites could be vulnerable
"The hacker has said that there's a flaw (in the ICVerify software that CD Universe was using to process its transactions) ... in a general sense, not just that he found that flaw in our system," he told MSNBC.

Representatives of the software maker, CyberCash of Reston, Va., did not return calls Monday seeking comment.

The New York Times reported that the extortionist, a self-described 19-year-old from Russia using the name Maxim, claimed in e-mails that he used some of the credit card numbers to obtain money for himself.

On the Web site, which was shut down Saturday, the thief said e-mail and faxes had been sent to the company warning that he would publish the credit card numbers and other information obtained through an unspecified "security hole" in the company's e-commerce software. "Pay me or I publish it," the thief claimed to have warned the Wallingford, Conn.-based company by e-mail and fax.

CD Universe and its parent, eUniverse, said they were working with the FBI to track the intruder.

Unauthorized purchases detailed
The company said it had not received any reports that customers' credit card numbers had been used to make unauthorized purchases.

But APBNews.com, an Internet publication focused on crime, said it obtained 32 credit card numbers before the Web site was removed and had verified at least two fraudulent purchases -- one for US$1,000 of computer equipment and another for US$1,250 worth of unspecified goods -- from the more than a dozen victims it was able to reach. One of those charges occurred on Saturday, the day the extortionist's Web site was shut down and two weeks after he posted his first credit card numbers.

APBNews also reported that two of the cardholders said the card numbers that were posted on the site were replaced and cancelled months ago, indicating the stolen database may have been old. Also, all of the credit cards were due to expire between February and April 2000, it said.

Customers contacted
Greenspan, the eUniverse chairman, said the company was in the process of contacting its customers and advising them of the theft.

"We're working with the credit card companies and we will be and are in the process of informing our users and giving them the appropriate information so that they can make an informed decision (on whether to cancel the cards)," he said.

American Express Co. said Monday that its online fraud guarantee will protect its customers from responsibility for unauthorized online charges. In general, credit card holders are responsible for only up to US$50 of any unauthorized charge.

And Sean Healy, a spokesman for VISA, said that while individual banks have the final say on the matter, in most cases there will be "no consumer liability" as a result of the theft.

And while the story received plenty of media attention after the New York Times ran it on the front page Monday, the publisher of a credit-card industry newsletter said that the theft was essentially a "non-event" that would likely not even rate a mention in the next edition.

"I've been following the industry for 35 years, and credit card fraud is at a historical low point (between 7 and 8 cents per US$100)," said Spencer Nilson, whose Nilson Report is circulated in 80 countries. "There is no system that's ever been invented that doesn't cost more than the fraud costs to prevent it."

Elias Levy of SecurityFocus.com, a computer security firm that received e-mail from the "cracker" -- the term preferred by law-abiding computer hackers for those who put their skills to criminal use -- alerting it to the existence of the Web site, said approximately 25,000 of the stolen numbers were posted before the site was shut down. Levy said the intruder claimed to have obtained the database containing the credit card numbers by using a security hole in ICVerify, the credit-card processing application.

"He was not very clear on what the security problem was," Levy told MSNBC. "He claimed that he was able to use the ICVerify software to take a charge from one account and credit it to a different credit card -- basically doing a money transfer. But this is not the same thing as a hole being used to steal the credit cards in the first place."

Calls to CyberCash on Monday were not immediately returned.

First numbers posted on Christmas
In the e-mail he sent to the Times, the hacker said he sent a fax to the company last month offering to destroy his credit card files in exchange for US$100,000. When he was rebuffed, he said, he began posting the numbers on another Web site, called Maxus Credit Card Pipeline, on Christmas Day.

The hacker e-mailed the Times the numbers for 198 credit cards as proof of the theft. The newspaper said it determined the numbers were real by contacting the credit card owners, at least one of whom also confirmed that she had used it to shop online at CD Universe.

Greenspan said company officials learned on Saturday that the numbers had been posted to the Web site and immediately contacted the FBI, which was able to get the Web site, which was hosted by a Kirkland, Wash., Internet service provider, to remove it.

Like many online retailers, CD Universe rode a burgeoning interest in online shopping at Christmas to bust open sales projections for music, movies, videos and games.

CD Universe's sales were US$9.1 million last year and are projected to rise to $16 million this year, Brewer said. For the Internet as a whole, sales this past holiday season climbed more than 300 percent from the previous year to as much as US$12 billion, above early expectations that sales would double. Bob Sullivan contributed to this story.

Editorial standards